{"uuid": "e7dbc499-dcc3-46eb-90a4-fe546478bf5d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-56664", "type": "seen", "source": "https://t.me/cvedetector/13766", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-56664 - Linux kernel bpf sockmap race condition vulnerability.\", \n  \"Content\": \"CVE ID : CVE-2024-56664 \nPublished : Dec. 27, 2024, 3:15 p.m. | 32\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nbpf, sockmap: Fix race between element replace and close()  \n  \nElement replace (with a socket different from the one stored) may race  \nwith socket's close() link popping & unlinking. __sock_map_delete()  \nunconditionally unrefs the (wrong) element:  \n  \n// set map[0] = s0  \nmap_update_elem(map, 0, s0)  \n  \n// drop fd of s0  \nclose(s0)  \n  sock_map_close()  \n    lock_sock(sk)               (s0!)  \n    sock_map_remove_links(sk)  \n      link = sk_psock_link_pop()  \n      sock_map_unlink(sk, link)  \n        sock_map_delete_from_link  \n                                        // replace map[0] with s1  \n                                        map_update_elem(map, 0, s1)  \n                                          sock_map_update_elem  \n                                (s1!)       lock_sock(sk)  \n                                            sock_map_update_common  \n                                              psock = sk_psock(sk)  \n                                              spin_lock(&stab->lock)  \n                                              osk = stab->sks[idx]  \n                                              sock_map_add_link(..., &stab->sks[idx])  \n                                              sock_map_unref(osk, &stab->sks[idx])  \n                                                psock = sk_psock(osk)  \n                                                sk_psock_put(sk, psock)  \n                                                  if (refcount_dec_and_test(&psock))  \n                                                    sk_psock_drop(sk, psock)  \n                                              spin_unlock(&stab->lock)  \n                                            unlock_sock(sk)  \n          __sock_map_delete  \n            spin_lock(&stab->lock)  \n            sk = *psk                        // s1 replaced s0; sk == s1  \n            if (!sk_test || sk_test == sk)   // sk_test (s0) != sk (s1); no branch  \n              sk = xchg(psk, NULL)  \n            if (sk)  \n              sock_map_unref(sk, psk)        // unref s1; sks[idx] will dangle  \n                psock = sk_psock(sk)  \n                sk_psock_put(sk, psock)  \n                  if (refcount_dec_and_test())  \n                    sk_psock_drop(sk, psock)  \n            spin_unlock(&stab->lock)  \n    release_sock(sk)  \n  \nThen close(map) enqueues bpf_map_free_deferred, which finally calls  \nsock_map_free(). This results in some refcount_t warnings along with  \na KASAN splat [1].  \n  \nFix __sock_map_delete(), do not allow sock_map_unref() on elements that  \nmay have been replaced.  \n  \n[1]:  \nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330  \nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063  \n  \nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125  \nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014  \nWorkqueue: events_unbound bpf_map_free_deferred  \nCall Trace:  \n   \n dump_stack_lvl+0x68/0x90  \n print_report+0x174/0x4f6  \n kasan_report+0xb9/0x190  \n kasan_check_range+0x10f/0x1e0  \n sock_map_free+0x10e/0x330  \n bpf_map_free_deferred+0x173/0x320  \n process_one_work+0x846/0x1420  \n worker_thread+0x5b3/0xf80  \n kthread+0x29e/0x360  \n ret_from_fork+0x2d/0x70  \n ret_from_fork_asm+0x1a/0x30  \n   \n  \nAllocated by task 1202:  \n kasan_save_stack+0x1e/0x40  \n kasan_save_track+0x10/0x30  \n __kasan_slab_alloc+0x85/0x90  \n kmem_cache_alloc_noprof+0x131/0x450  \n sk_prot_alloc+0x5b/0x220  \n sk_alloc+0x2c/0x870  \n unix_create1+0x88/0x8a0  \n unix_create+0xc5/0x180  \n __sock_create+0x241/0x650  \n __sys_socketpair+0x1ce/0x420  \n __x64_sys_socketpair+0x92/0x100  \n do_syscall_64+0x93/0x180  \n entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n  \nFreed by task 46:  \n kasan_save_s[...]", "creation_timestamp": "2024-12-27T16:50:57.000000Z"}